The Linux-PAM Module Writers' Guide
Andrew G. Morgan <morgan@kernel.org>
Thorsten Kukuk <kukuk@thkukuk.de>
Version 1.0, 3. April 2008
Abstract
This manual documents what a programmer needs to know in order to write a module that conforms to the Linux-PAM
standard. It also discusses some security issues from the point of view of the module programmer.
1. Introduction (p. 1)
1.1. Description (p. 1)
1.2. Synopsis (p. 1)
2. What can be expected by the module (p. 2)
2.1. Getting and setting PAM_ITEMs and data (p. 2)
2.1.1. Set module internal data (p. 2)
2.1.2. Get module internal data (p. 3)
2.1.3. Setting PAM items (p. 3)
2.1.4. Getting PAM items (p. 5)
2.1.5. Get user name (p. 6)
2.1.6. The conversation function (p. 7)
2.1.7. Set or change PAM environment variable (p. 9)
2.1.8. Get a PAM environment variable (p. 10)
2.1.9. Getting the PAM environment (p. 10)
2.2. Other functions provided by libpam (p. 10)
2.2.1. Strings describing PAM error codes (p. 10)
2.2.2. Request a delay on failure (p. 11)
3. What is expected of a module (p. 13)
3.1. Overview (p. 13)
3.1.1. Functional independence (p. 13)
3.1.2. Minimizing administration problems (p. 13)
3.1.3. Arguments supplied to the module (p. 13)
3.2. Authentication management (p. 14)
3.2.1. Service function for user authentication (p. 14)
3.2.2. Service function to alter credentials (p. 14)
3.3. Account management (p. 15)
3.3.1. Service function for account management (p. 16)
3.4. Session management (p. 16)
3.4.1. Service function to start session management (p. 16)
3.4.2. Service function to terminate session management (p. 17)
3.5. Authentication token management (p. 17)
3.5.1. Service function to alter authentication token (p. 18)
4. Generic optional arguments (p. 20)
5. Programming notes (p. 21)
5.1. Security issues for module creation (p. 21)
5.1.1. Sufficient resources (p. 21)
5.1.2. Who's who? (p. 21)
5.1.3. Using the conversation function (p. 21)
5.1.4. Authentication tokens (p. 22)
5.2. Use of syslog(3) (p. 22)
5.3. Modules that require system libraries (p. 23)
6. An example module (p. 24)
7. See also (p. 25)
8. Author/acknowledgments (p. 26)
9. Copyright information for this document (p. 27)
Chapter 1. Introduction
1.1. Description
Linux-PAM (Pluggable Authentication Modules for Linux) is a library that enables the local system
administrator to choose how individual applications authenticate users. For an overview of the Linux-PAM
library see the Linux-PAM System Administrators' Guide.
A Linux-PAM module is a single executable binary file that can be loaded by the Linux-PAM interface
library. This PAM library is configured locally with a system file, /etc/pam.conf, to authenticate
a user request via the locally available authentication modules. The modules themselves will usually be
located in the directory /lib/security (or /lib64/security, depending on the architecture)
and take the form of dynamically loadable object files (see dlopen(3)). Alternatively, the modules can be
statically linked into the Linux-PAM library; this is mostly to allow Linux-PAM to be used on platforms
without dynamic linking available, but this is a deprecated functionality. It is the Linux-PAM interface that
is called by an application, and it is the responsibility of the library to locate, load and call the appropriate
functions in a Linux-PAM module.
Except for the immediate purpose of interacting with the user (entering a password etc.) the module
should never call the application directly. This exception requires a "conversation mechanism" which is
documented below.
1.2. Synopsis
#include <security/pam_modules.h>
gcc -fPIC -c pam_module.c
gcc -shared -o pam_module.so pam_module.o -lpam
Chapter 2. What can be expected by the module
Here we list the interface and the conventions that all Linux-PAM modules must adhere to.
2.1. Getting and setting PAM_ITEMs and data
First, we cover what the module should expect from the Linux-PAM library and a Linux-PAM aware
application. Essentially this is the libpam.* library.
2.1.1. Set module internal data
#include <security/pam_modules.h>
int pam_set_data(pam_handle_t *pamh, const char *module_data_name, void *data,
                 void (*cleanup)(pam_handle_t *pamh, void *data, int error_status));
2.1.1.1. DESCRIPTION
The pam_set_data function associates a pointer to an object with the (hopefully) unique string
module_data_name in the PAM context specified by the pamh argument.
PAM modules may be dynamically loadable objects. In general such files should not contain static
variables. This function and its counterpart pam_get_data(3) provide a mechanism for a module to
associate some data with the handle pamh. Typically a module will call the pam_set_data function to
register some data under a (hopefully) unique module_data_name. The data is available for use by other
modules too, but not by an application. Since this function stores only a pointer to the data, the module
should not modify or free the content of it.
The function cleanup() is associated with the data and, if non-NULL, it is called when this data is
over-written or following a call to pam_end(3).
The error_status argument is used to indicate to the module the sort of action it is to take in cleaning this
data item. As an example, Kerberos creates a ticket file during the authentication phase; this file might be
associated with a data item. When pam_end(3) is called by the module, the error_status carries the return
value of the pam_authenticate(3) or other libpam function as appropriate. Based on this value the Kerberos
module may choose to delete the ticket file (authentication failure) or leave it in place.
The error_status may have been logically OR'd with either of the following two values:
PAM_DATA_REPLACE This mask is set when a data item is being replaced (through a second call to
pam_set_data). Otherwise, the call is assumed to be from pam_end(3).
PAM_DATA_SILENT This indicates that the process would prefer to perform the cleanup() quietly,
that is, it discourages logging/messages to the user.
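As an added example (not code from the guide), here is a cleanup() callback of the kind pam_set_data registers, built around the Kerberos ticket-file scenario above: it separates the PAM_DATA_REPLACE and PAM_DATA_SILENT bits from the libpam return value and deletes the ticket file only when pam_end(3) follows a failed call. The struct ticket layout, the data name "example_ticket" and the fallback constant values used when the libpam headers are absent are assumptions.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>
/* Real header if libpam-devel is present, else the values from <security/_pam_types.h>. */
#ifdef __has_include
#  if __has_include(<security/pam_modules.h>)
#    include <security/pam_modules.h>
#    define HAVE_PAM_HEADERS 1
#  endif
#endif
#ifndef HAVE_PAM_HEADERS
typedef struct pam_handle pam_handle_t;
#  define PAM_SUCCESS      0
#  define PAM_AUTH_ERR     7
#  define PAM_DATA_REPLACE 0x20000000
#  define PAM_DATA_SILENT  0x40000000
#endif

/* Module-private data item (assumed layout): path of the ticket file created during auth. */
struct ticket { char *path; };

struct ticket *ticket_new(const char *path) {
    struct ticket *t = malloc(sizeof *t);
    if (t == NULL) return NULL;
    t->path = malloc(strlen(path) + 1);
    if (t->path == NULL) { free(t); return NULL; }
    strcpy(t->path, path);
    return t;
}

/* cleanup() as libpam calls it, registered from pam_sm_authenticate() with
 * pam_set_data(pamh, "example_ticket", t, cleanup_ticket). error_status is the libpam
 * return value, possibly OR'd with PAM_DATA_REPLACE/PAM_DATA_SILENT. Returns 1 if the file was deleted. */
int cleanup_ticket(pam_handle_t *pamh, void *data, int error_status) {
    struct ticket *t = data;
    int replaced = error_status & PAM_DATA_REPLACE;
    int silent   = error_status & PAM_DATA_SILENT;
    int status   = error_status & ~(PAM_DATA_REPLACE | PAM_DATA_SILENT);
    int removed  = 0;
    (void)pamh;
    /* Replacement: module still running, keep the file. pam_end() after failure: drop it. */
    if (!replaced && status != PAM_SUCCESS) {
        removed = (unlink(t->path) == 0);
        if (!silent) fprintf(stderr, "removed ticket %s (status %d)\n", t->path, status);
    }
    free(t->path);
    free(t);
    return removed;
}
```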